[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL: access to all values vs. to value

To: Dora Paula <deepee@gmx.net>
Subject: Re: ACL: access to all values vs. to value
From: Gavin Henry <ghenry@suretec.co.uk>
Date: Sat, 11 Aug 2012 01:18:50 +0100
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <502594F0.3000706@gmx.net>
References: <5023E46A.7030803@gmx.net> <CAPcb_GJeYghcX1yMxzPVmSTMqmA31AqQK+yfXDFnDaTZTSktYg@mail.gmail.com> <502594F0.3000706@gmx.net>

> Gavin Henry wrote:
>>> is there a possibility to create an acl statement that grants access to any
>>> (unknown) value of an attribute but denys access to all values of the same
>>> attribute?
>>
>> Can you explain that again?
>
> BTW: Your answer didn't find its way into the openldap-technical archive:
> http://www.openldap.org/lists/openldap-technical/201208/threads.html
>
>
> Nevertheless, please let me

Yes, sorry. There was an email issue today.

So you mean the attribute should always be present?

That is normally part of the objectClass definition, ie MUST.

I can't think of a way to do it with ACLs. Anyone else?

That's got me thinking. What if you have dynamic group based ACLs,
based on say 'o' and the owner of the entry has self write. They could
add another 'o' attribute putting themselves into an additional group
(depending on the objectclass)? I suppose you just make that attribute
read only.

Gavin.

References:
- ACL: access to all values vs. to value
  - From: Dora Paula <deepee@gmx.net>
- Re: ACL: access to all values vs. to value
  - From: Dora Paula <deepee@gmx.net>

Prev by Date: Re: ACL: access to all values vs. to value
Next by Date: access to inherited attributes
Index(es):
- Chronological
- Thread